<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures - A Security Blog » Encryption</title>
	<atom:link href="http://countermeasures.trendmicro.eu/category/encryption/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Trend Micro's Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Tue, 07 Feb 2012 17:51:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>DigiNotar, Iran, Certificates and YOU</title>
		<link>http://countermeasures.trendmicro.eu/diginotar-iran-certificates-and-you/</link>
		<comments>http://countermeasures.trendmicro.eu/diginotar-iran-certificates-and-you/#comments</comments>
		<pubDate>Mon, 05 Sep 2011 11:57:50 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2995</guid>
		<description><![CDATA[The story that has been slowly breaking over the past few days regarding the compromise at Dutch certificate authority DigiNotar and the subsequent 'theft' of many important credentials is one that is of huge importance for internet users, governments and even the trust foundation that underlies the internet in general. &#160; What has happened exactly? [...] ]]></description>
			<content:encoded><![CDATA[<p>The story that has been slowly breaking over the past few days regarding the <a href="http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx" title="DigiNotar reports security incident" target="_blank">compromise at Dutch certificate authority DigiNotar</a> and the subsequent 'theft' of many important credentials is one that is of huge importance for internet users, governments and even the trust foundation that underlies the internet in general.<br />
&nbsp;<br />
<strong>What has happened exactly?</strong><br />
&nbsp;<br />
DigiNotar is a trusted authority. That means that they can issue certificates that allow websites offering secure, encrypted communications to prove that they are who they say they are. Think of it as a digital passport. When you browse to your bank, your email provider or any other secure site, these certificates are exchanged in the background before secured communications can begin. Your web browser contains a list of 'root authorities' whose certificates can be trusted. If a web site presents a valid certificate then your browser will trust it and begin encrypted communications. When the certificate is valid, this all happens transparently to you, the end user. DigiNotar's security has been compromised and a large number of fraudulent certificates have been issued. A full list can be found <a href="https://blog.torproject.org/files/rogue-certs-2011-09-04.csv" title="CSV file of bad DigiNotar certs" target="_blank">here</a> (CSV file), although it should be stated that this list may yet grow over time.<br />
&nbsp;<br />
<strong>What is a valid certificate?</strong><br />
&nbsp;<br />
A valid certificate is one that matches the name of the site that is using it, that has an expiry date that has not yet passed and, critically, that is signed by a trusted authority. It is this last step that is normally difficult for those with malicious intent to overcome. If I present a faked, expired or otherwise fraudulent certificate, your browser will alert you and you may well choose not to continue the communication.<br />
&nbsp;<br />
<strong>So what does this mean?</strong><br />
&nbsp;<br />
If I can set up a 'man-in-the-middle', for example a proxy server, between you and your bank, it is very simple for me to intercept and read plain old HTTP traffic, as it is not encrypted. HTTPS traffic, however, would be a problem: it is encrypted and I don't have the keys to decrypt it, because the encryption is between you and your bank. If I have a valid certificate that appears to come from your bank I can overcome this problem: my proxy can pretend to be your bank, present the right credentials, and I can decrypt and read all your content before I pass it on to the real final destination.<br />
&nbsp;<br />
<strong>Who is at risk?</strong><br />
&nbsp;<br />
In a normal situation, where I am browsing the internet and can connect directly from my computer to my bank, I am on a network I trust and I am not at risk. If, however, all my traffic must pass through a proxy, either at my Internet Service Provider or at state level, which is the case in some more restrictive nations, then I am at risk. The owner of the proxy can make use of fraudulent certificates and act as a man-in-the-middle. There is also a risk on public networks such as wi-fi hotspots; again, the hotspot provider will often make use of a proxy. Under normal circumstances encrypted traffic will simply be passed through untouched, but if I have a shady certificate and malicious intent I can intercept your traffic.<br />
&nbsp;<br />
Alternatively I could infect your system with malware that configures your computer to pass all your traffic through a proxy of my choice, wherever you are located. For this to be effective I would need to be able to install code on your system to make these changes. At least one of the fraudulent certificates allows 'code signing', meaning it can be used to certify that a program is from a valid publisher, so this possibility certainly exists in theory.<br />
&nbsp;<br />
Trend Micro&#8217;s Feike Hacquebord has uncovered <a href="http://blog.trendmicro.com/?p=36667" title="TrendLabs Malware blog">concrete evidence</a> that the fraudulent certificates issued as a result of the DigiNotar compromise have disproportionately and suspiciously affected users based in Iran (link to TrendLabs blog to follow). In Iran, all web traffic must pass through state-approved proxies, the perfect man-in-the-middle. In this scenario, the 'benefits' of owning fraudulent certificates are clear. All encrypted traffic for affected destinations can now be decrypted at will and the end user will be entirely unaware. It has been reported that the fraudulent certificates obtained include certs for *.com and *.org, meaning that all traffic for any web site with one of these suffixes can be intercepted.<br />
&nbsp;<br />
<strong>Is the internet broken?</strong><br />
&nbsp;<br />
Does this event undermine the foundations of trusted communication online? Not entirely, although it certainly highlights a weak link in the chain. Authorities that are trusted to certify the identity and validity of web servers have a responsibility to ensure that the security of their systems and networks is second to none; they represent the top of the food chain. Having said that, security should always be designed on the assumption that a breach will occur. The key to successfully responding to such an event lies in the honesty and transparency of an authority that has been the victim of such an attack. Details of any such breach should be made public immediately so that the bad certificates can be revoked and will no longer be accepted by browsers around the world, thus mitigating the effect of such an attack. Unfortunately, in the case of DigiNotar the extent of the breach was reported as minimal at the outset and the full details are only now becoming clear, several days later. We now know that 531 bad certificates have been issued, including those for *.*.com and *.*.org, making the certificates for WindowsUpdate look tame by comparison. The compromise at DigiNotar happened in July of this year; at the time of the initial investigation the fraudulent cert for google.com was not discovered, meaning that that one at least was in the wild for over a month.<br />
&nbsp;<br />
Trust in all certificates issued by DigiNotar has already been revoked by many browser and operating system manufacturers and the consequences for DigiNotar as a company are likely to be severe, possibly fatal.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/diginotar-iran-certificates-and-you/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>5 Security Questions for your SaaS provider</title>
		<link>http://countermeasures.trendmicro.eu/5-security-questions-for-your-saas-provider/</link>
		<comments>http://countermeasures.trendmicro.eu/5-security-questions-for-your-saas-provider/#comments</comments>
		<pubDate>Thu, 04 Aug 2011 12:49:51 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2934</guid>
		<description><![CDATA[Software as a Service is seeing sustained growth and sustained adoption in both enterprise and in the home. According to a Gartner release in July 2011, Software as a Service revenue reached $10 billion in 2010 and is still growing. In fact Gartner estimate growth of over 20% to $12.1 billion in 2011. &#160; The [...] ]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2941" class="wp-caption alignleft" style="width: 319px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/08/5146255962_08658087c8.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/08/5146255962_08658087c8.jpg" alt="" title="At Your Service" width="309" height="500" class="size-full wp-image-2941" /></a><p class="wp-caption-text">used by permission from ky_olsen&#039;s Flickr stream</p></div><br />
Software as a Service is seeing sustained growth and sustained adoption in both enterprise and in the home. According to a <a href="http://www.gartner.com/it/page.jsp?id=1739214&amp;M=6e0e6b7e-2439-4289-b697-863578323245">Gartner release</a> in July 2011, Software as a Service revenue reached $10 billion in 2010 and is still growing. In fact Gartner estimate growth of over 20% to $12.1 billion in 2011.<br />
&nbsp;<br />
The Gartner definition of Software as a Service is software that is "<em>owned, delivered and managed remotely by one or more providers. The provider delivers an application based on a single set of common code and data definitions, which is consumed in a one-to-many model by all contracted customers anytime on a pay-for-use basis, or as a subscription based on use metrics</em>". The example that is cited in almost every article and presentation on the subject is Salesforce.com, and while they are a major provider in the SaaS arena it is important to recognise that SaaS comes in many different flavours: Customer Relationship Management, Human Resource Management, cloud backup, collaboration platforms, accounting platforms, helpdesk management, managed services and web or email filtering, to name but a few.<br />
&nbsp;<br />
The economic benefits, to providers and customers alike, are relatively easy to spot: the cost of user provisioning (the SaaS model), when compared to the cost of application acquisition, licensing and rollout (the on-premise model), is extremely attractive. The SaaS provider is able to update and manage the software and service more quickly and easily because of its centralised nature; application improvements are easier to make as a result of the visibility the provider has of customer usage patterns; and the scalability and pay-per-use are attractive for both customer and provider. In addition, the possibilities for integration and open interfaces are greater, with many SaaS providers already offering social media-like collaboration functions or open interfaces (APIs).<br />
&nbsp;<br />
While SaaS may offer a flexible and cost-effective alternative to a traditional application environment, it is not without risk. By moving to a hosted platform, as opposed to in-house, enterprises must necessarily sacrifice a large element of control over parts of their operating environment. With SaaS in particular, almost the only choice you have is whether or not you upload certain data; the rest is largely out of your hands. You do of course retain the legal and regulatory <em>accountability</em> for the security of your data.<br />
&nbsp;<br />
The risks in a SaaS environment are many, and largely related to the benefits offered. As I mentioned previously, your provider has access to your usage habits on the platform, normally through some kind of web analytics; they also have the capability of accessing all of your data, and this in itself presents the risk of unauthorised access or monitoring by an insider.<br />
&nbsp;<br />
The centralised nature of the system and the 'one configuration fits many' model of the multi-tenanted environment mean that, should a vulnerability affect one customer, there is a strong possibility that other customers will be equally affected. The Epsilon breach is one of the more recent examples, and it affected many Fortune 500 companies using the same SaaS provider. The scope for exploits of vulnerabilities is wide. Most SaaS providers use common protocols and a common software stack (HTTP, XML/SOAP, JSON, CSS and JavaScript), and these are readily and regularly exploited if not correctly engineered, implemented or configured. Additionally, the more scope a platform offers for customisation and external integration (a key selling point for SaaS vendors), the more chance there is that one customer will introduce a vulnerability from which another may suffer the consequences. Such is the nature of a multi-tenanted environment.<br />
&nbsp;<br />
<strong>5 Key security questions to ask your SaaS provider</strong>:<br />
&nbsp;<br />
1 - <strong>Penetration testing</strong> - How is the environment pen tested, how often, and do you have the ability to independently pen test your own part of the environment? Without regular, in-depth pen testing you have no visibility of your current security posture.<br />
&nbsp;<br />
2 - <strong>Data Security</strong> - How is data encrypted in storage and in transit across the shared resources of the SaaS provider data centre? Who has access to the keys? Are separation of duties and separation of keys and data maintained? Can the provider offer you a SAS 70 report?<br />
&nbsp;<br />
3 - <strong>Multi-tenancy</strong> - Is there an option that provides for single-tenant hosting? Also explore whether this single tenancy comprises simply the application or also the data storage.<br />
&nbsp;<br />
4 - <strong>Disaster Recovery</strong> - In the event of catastrophic failure, or external intrusion and data loss, what backup and recovery procedures are in place? Where is backed-up data stored (and encrypted again) and how is it effectively restored?<br />
&nbsp;<br />
5 - <strong>User Authentication</strong> - What is the sign-on procedure for the SaaS application? Are multiple factors in use? Is it possible to integrate sign-on with authentication structures already in use by the customer?<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/5-security-questions-for-your-saas-provider/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What the Hack is going on?</title>
		<link>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/</link>
		<comments>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 14:51:28 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2858</guid>
		<description><![CDATA[With all the recent news stories of successful hacking attacks on some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive, including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night [...] ]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2863" class="wp-caption alignleft" style="width: 410px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/06/4781607809_13d04ce5da.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/06/4781607809_13d04ce5da-400x300.jpg" alt="" title="4781607809_13d04ce5da" width="400" height="300" class="size-large wp-image-2863" /></a><p class="wp-caption-text">Used under creative commons from brittgow Flickr</p></div><br />
&nbsp;<br />
With all the recent news stories of successful hacking attacks on some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive, including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night the CIA website, which was targeted with a Distributed Denial of Service attack. The amount of prime-time coverage these various activities are getting is prompting several questions. Is this hacking group stuff something new? Is this cyber-espionage or even cyber warfare? What impact will this have on me and the future of the internet?<br />
&nbsp;<br />
The idea of a hacking group is certainly not a new phenomenon; in fact they began to flourish in the early eighties, the early days of home computing, acting as a forum for members to share information, learn and compare skills. Early groups bore names such as Legion of Doom, Cult of the Dead Cow or Masters of Deception and specialised not only in the nascent internet hacking scene (they are responsible for the birth of hacktivism) but also in the perhaps dying art of <a href="http://en.wikipedia.org/wiki/Phreaking">phreaking</a> (abuse of public telecommunications networks). The nineties saw the rise of a different kind of hacking group, L0pht Heavy Industries, who operated more as a research organisation, providing software tools for penetration and security testing and issuing advisories. This group also famously testified to the US Congress in 1998 that they could take down the entire internet in under 30 minutes. L0pht later merged with @stake, who were eventually acquired by Symantec.<br />
&nbsp;<br />
Now in the noughties we have witnessed the rise of Anonymous and, more recently, LulzSec. Anonymous as a collective is something that began on message boards like the infamous 4chan, for the purposes of attacking the Church of Scientology, and has, with generous media coverage, evolved into a bigger deal. Instead of being a relatively closed group, Anonymous actively sought the participation of the general public when they began their actions in support of Wikileaks. Tens of thousands of volunteers are downloading tools which enable them to participate in the global assault on businesses with whom they feel personally aggrieved. The latest versions of this tool include functionality which means the user can hand off control of their weaponised computer to a central authority (Anonymous) to better direct and control the attacks. LulzSec, on the other hand, maintain the tradition of the closed group and, according to their own web site, have no motivation but anarchy:<br />
&nbsp;</p>
<blockquote><p>â<em>We&#8217;re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calendar year</em>&#8220;.</p></blockquote>
<p>&nbsp;<br />
Of course similar groups have emerged around the world, in places as far flung as Pakistan and India, where there is fierce competition between the groups. In Romania, groups such as <a href="http://countermeasures.trendmicro.eu/an-interview-with-hackersblog/">HackersBlog</a> have hit various companies. In China and Russia, many hackers are believed to act as proxies for their governments.<br />
&nbsp;<br />
Itâs not all about the hacking for fun and kudos gangs, organised criminal groups have been with us for many years now, and the last 12 months or so has seen a marked increase in the frequency of attacks on online aggregations of information, such as Sony, Epsilon or Citibank for the purposes of theft of information for financial reward. One single attack, if successful can yield such a vast amount of saleable or otherwise abusable personal data, that Iâm only surprised the attacks took so long to gather pace.<br />
&nbsp;<br />
Another phenomenon that has risen to prominence recently is purported nation-state activity. Again, despite recent press coverage, this is also nothing new: the <a href="http://en.wikipedia.org/wiki/Titan_Rain">Titan Rain</a> attacks, for example, date back to 2003, when the finger was firmly pointed at China for the theft of large amounts of information from military and governmental targets; <a href="http://en.wikipedia.org/wiki/Ghostnet">gh0stnet</a> in 2007 was similarly blamed on China, as were the <a href="http://en.wikipedia.org/wiki/Operation_Aurora">Aurora</a> attacks the following year. This year has already seen similarly motivated attacks on <a href="http://www.computerweekly.com/Articles/2011/03/18/245974/RSA-hit-by-advanced-persistent-threat-attacks.htm">RSA</a>, the <a href="http://countermeasures.trendmicro.eu/serious-cyber-attack-on-eu/">European Council</a>, the <a href="http://www.bbc.co.uk/news/business-12662596">French Finance Ministry</a>, the <a href="http://www.pcworld.com/businesscenter/article/219906/china_denies_role_in_reported_government_of_canada_hack.html">Canadian government</a>, <a href="http://www.informationweek.com/news/government/security/229700151">Lockheed Martin</a> and of course <a href="http://en.wikipedia.org/wiki/Stuxnet">Stuxnet</a>.<br />
&nbsp;<br />
So many technological and cryptographic advances have their roots in the centuries-old art of espionage that we should really not be surprised to see national foreign intelligence services making use of cutting-edge tools and techniques to further their national or economic interests.<br />
&nbsp;<br />
None of this represents a global online meltdown, or the end of the internet economy or of national security as we know it. Like everything else in this world, we can trace a simple process of evolution at work here. Security companies, individuals and enterprises must evolve to keep pace, and just maybe learn some of the lessons that some of these guys have been teaching us for years now. Encrypt your data, develop securely, configure correctly, test your defences effectively, use complex passwords, shield your vulnerabilities and build your systems under the assumption that a breach *<strong>will</strong>* happen.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>So secure we don&#8217;t need security?</title>
		<link>http://countermeasures.trendmicro.eu/so-secure-we-dont-need-security/</link>
		<comments>http://countermeasures.trendmicro.eu/so-secure-we-dont-need-security/#comments</comments>
		<pubDate>Wed, 25 May 2011 13:52:32 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[chrome]]></category>
		<category><![CDATA[chromeos]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[netbook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2831</guid>
		<description><![CDATA[With the launch announcements of various Google Chrome netbooks, the press and security companies alike are beginning to take a closer look at the security promises made, and also at some of the more, um&#8230; media-friendly statements such as "users don&#8217;t have to deal with viruses, malware and security updates". &#160; [...] ]]></description>
			<content:encoded><![CDATA[<p>With the launch announcements of various Google Chrome netbooks, the press and security companies alike are beginning to take a closer look at the security promises made, and also at some of the more, um&#8230; media-friendly statements such as "<a href="http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html">users don&#8217;t have to deal with viruses, malware and security updates</a>".<br />
&nbsp;<br />
Letâs have a look at some of the security features of Chrome OS:<br />
&nbsp;<br />
1 â Get out of my playpen. Each process runs in its own sandbox, effectively this means that if an application is malicious or compromised it is unable to interact with or otherwise affect other applications or processes on the system.<br />
&nbsp;<br />
2 â Always up-to-date. Automatic updating, patches or feature updates will be downloaded and installed by default, this is a mandatory process designed to stop the user from opting themselves out of security.<br />
&nbsp;<br />
3 â Always start with a clean slate. When Chrome OS is started up, it will check the integrity and validity of system files and if it detects any anomaly or unauthorised change, the system will revert to the known-good state, effectively neutralising any suspect activity at every reboot. The separation of user files and system files makes this a simple and effective process.<br />
&nbsp;<br />
4 â (Almost) No desktop applications. Every application in Chrome OS will run inside the browser, discrete desktop applications will simply not exist; all apps are effectively web apps. The OS does afford the possibility of browser plug-ins locally so the end user still has some influence over the operating environment. These plug-ins of course will be sandboxed. Google has recently made a Software Development Kit available for the creation of Chrome âNative Appsâ<br />
&nbsp;<br />
5 â Nothing to see here. No user data is stored locally on Chrome machines. All user data is stored in the cloud and encrypted, theoretically data theft by malware or intrusion is made more complex.<br />
&nbsp;<br />
So, what do I think? Well, the existence of the SDK seems to demonstrate that the &#8220;sterile environment&#8221; of an out-of-the-box Chrome netbook may be about as long-lived as an untouched Android device. Of course the sandboxing technology is designed to ensure that even a bad native app can&#8217;t misbehave. Well, exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android and of course for the Chrome browser (to name but a few). While the Google sandbox is effective, it is not impenetrable, and to rely on it for 100% security would be short-sighted.<br />
&nbsp;<br />
As regards the notion of the operating system always reverting to a known good state at reboot and the security afforded by encrypted data being stored in Google&#8217;s cloud, well, surely that&#8217;s just moving the goalposts for the bad guys. For much of today&#8217;s malware, one of the primary goals is persistence. This will be much more difficult (see how I hesitate to say impossible) in the Chrome environment, so the motivation will shift. If I can infect you for one session and steal your keys, well then I&#8217;ll get what I can while I&#8217;m in there and then continue accessing your stuff in the cloud; after all, I&#8217;ve got your keys now, I don&#8217;t need your PC anymore. The beauty of that for criminals is that the victim may be even more unaware than they are now that they have been compromised.<br />
&nbsp;<br />
While I applaud the impressive advances in security that are apparent in Chrome OS, to a certain extent we are seeing marketing history repeat itself. How often did the mantra that MacOS was immune to malware need to be repeated until the vast majority of users believed it and continue to do so, even after Apple went as far as incorporating rudimentary AV software into MacOS?<br />
&nbsp;<br />
Criminal activity extends far beyond file-based threats, encompassing social engineering, phishing, social networks and email-borne threats. The palette is continually expanding and the techniques are continually evolving; to assure your customers that they will not have to deal with online cybercrime simply by switching OS is foolish, to say the least.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/so-secure-we-dont-need-security/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Russian Security Service proposes ban on Gmail, Skype, Hotmail</title>
		<link>http://countermeasures.trendmicro.eu/russian-security-service-proposes-ban-on-gmail-skype-hotmail/</link>
		<comments>http://countermeasures.trendmicro.eu/russian-security-service-proposes-ban-on-gmail-skype-hotmail/#comments</comments>
		<pubDate>Sat, 09 Apr 2011 12:02:51 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2755</guid>
		<description><![CDATA[&#160; In an echo of the move by governments including India, Saudi Arabia and the United Arab Emirates to ban the use of certain encrypted Blackberry services last year, the Russian Federal Security Service has cited Skype, Gmail and Hotmail as a &#8220;threat to national security&#8221; and has suggested a ban. &#160; According to a release [...] ]]></description>
			<content:encoded><![CDATA[<p><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/04/200px-FSB_svg.png" style="float:left;"><img  title="FSB Insignia" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/04/200px-FSB_svg.png" alt="" width="163" height="300" style="padding-right:10px; padding-bottom:10px; vertical-align:top;" /></a><br />
&nbsp;</p>
<p>In an echo of the move by governments including India, Saudi Arabia and the United Arab Emirates to <a title="Two Gulf states to ban some Blackberry functions" href="http://www.bbc.co.uk/news/world-middle-east-10830485" target="_blank">ban the use of certain encrypted Blackberry services</a> last year, the Russian <a title="Wikipedia - Federal Security Service (Russia)" href="http://en.wikipedia.org/wiki/Federal_Security_Service_(Russia)" target="_blank">Federal Security Service</a> has cited Skype, Gmail and Hotmail as a &#8220;threat to national security&#8221; and has suggested a ban.</p>
<p>&nbsp;</p>
<p>According to a <a title="FSB says Skype and Gmail pose threat to Russian security" href="http://www.itar-tass.com/eng/level2.html?NewsID=16135557&amp;PageNum=0" target="_blank">release</a> from ITAR-TASS, head of the <a title="Wikipedia - FSB" href="http://en.wikipedia.org/wiki/Federal_Security_Service_(Russia)" target="_blank">FSB</a> Information and Special Communication Centre, Alexander Andreyechkin stated: </p>
<p>&nbsp;</p>
<blockquote><p>&#8220;<em>Uncontrollable use of such services can create a major threat to Russia&#8217;s security</em>&#8221;</p></blockquote>
<p>&nbsp;</p>
<p>Andreyechkin reportedly went on to argue that, because the servers and encryption technology used all reside outside Russia, this creates difficulty in carrying out investigations, asserting that these services are often used by &#8220;foreign extremists&#8221;.</p>
<p>&nbsp;</p>
<p>The remarks, made before a government Communication &amp; Technology committee meeting which subsequently continued without press presence, appear to have caused a certain amount of confusion in the Kremlin. Dimitry Peskov, press secretary to Vladimir Putin, confirmed that this opinion represented the official position of the FSB, saying &#8220;<em>FSB representatives don&#8217;t express personal points of view. Naturally, that was the position of the agency</em>&#8221;. Russian Communications minister Igor Shchegolev, on the other hand, stated &#8220;<em>We have no plans to cancel or close Skype, gmail, hotmail or any other foreign internet services in Russia</em>&#8221;, adding, perhaps a little more worryingly, &#8220;<em>We are now discussing how to regulate such technologies, including economically.</em>&#8221;</p>
<p>&nbsp;</p>
<p>The main cause of concern for the FSB seems to be the encryption employed by these services, and the aim appears to be either to deny access to services such as these, or to use the threat of such a ban in order to open negotiations to improve the access of Russian security services to encrypted information. The countries that threatened a ban on Blackberry use <a title="United Arab Emirates will not ban Blackberries" href="http://www.bbc.co.uk/news/technology-11499755" target="_blank">reached an agreement</a> with <a title="Research in Motion" href="http://www.rim.com" target="_blank">RIM</a>, the Blackberry manufacturer, that allowed usage to continue uninterrupted; details of this compromise have never been revealed.</p>
<p>&nbsp;</p>
<p>Vladimir Putin is currently heading a committee, set up by the Communication &amp; Technology commission, charged with setting out a plan to regulate the mass use of internet encryption technology within Russia. The committee is due to report on October the 1st of this year. Watch this space&#8230;</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/russian-security-service-proposes-ban-on-gmail-skype-hotmail/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Data mining for bad guys</title>
		<link>http://countermeasures.trendmicro.eu/data-mining-for-bad-guys/</link>
		<comments>http://countermeasures.trendmicro.eu/data-mining-for-bad-guys/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 09:22:24 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2732</guid>
		<description><![CDATA[&#160; Over the past three days many of us have woken up to an unwelcome sight in our email inboxes: a notification that your email address was among those exposed in what may be the biggest data theft of its kind, the data breach at the &#8220;database marketing vendor&#8221; Epsilon. Today I got my first one [...] ]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2736" class="wp-caption alignleft" style="width: 508px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/04/05-04-2011-10-20-34.png"><img class="size-large wp-image-2736" title="Notification mail from Hilton HHonors" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/04/05-04-2011-10-20-34.png" alt="" width="498" height="101" /></a><p class="wp-caption-text">My notification mail from Hilton HHonors</p></div><br />
&nbsp;<br />
Over the past three days many of us have woken up to an unwelcome sight in our email inboxes: a notification that your email address was among those exposed in what may be the biggest data theft of its kind, the data breach at the &#8220;database marketing vendor&#8221; <a href="http://www.epsilon.com/">Epsilon</a>. Today I got my first one and I&#8217;m far from alone.<br />
&nbsp;<br />
The list of companies affected by this intrusion is already long, but seems to still be growing. The notification mail I received was from Hilton HHonors, the loyalty scheme for Hilton hotels. Other affected companies include: American Express, BestBuy, Borders, Capital One, Citibank, Disney, The Home Shopping Network, JP Morgan Chase, Marriott Rewards, Ritz Carlton, TiVo, US Bank, Verizon &amp; Visa, to name but some.<br />
&nbsp;<br />
No details have been made available regarding how the data was accessed beyond the <a href="http://www.epsilon.com/News%20&amp;%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3">initial statement</a> made on the 1st April by Epsilon and the breach notification mails continue rolling in to affected individuals.<br />
&nbsp;<br />
Epsilon state that the &#8220;unauthorized entry into Epsilon&#8217;s email system&#8221; affected just 2% of their customers and that they comprise only a subset of the clients to whom Epsilon provide email services. Given the list of names of affected institutions known thus far then, you have to wonder if the attackers were able to browse the entire database at will and extract only what they considered to be the most valuable information.<br />
&nbsp;<br />
Every notification email, and also the public statement from Epsilon, reassures us that &#8220;only&#8221; names and email addresses were &#8220;obtained&#8221; (read: stolen) and that no other information, financial or otherwise, is at risk. Unfortunately, this downplays the level of risk to customers and is also misleading.<br />
&nbsp;<br />
Not only do the criminals know your name and email address, they know where you go shopping, where you bank, which hotels you stay at and much more. If you are unfortunate enough to have received multiple notifications, just imagine what kind of profile is now in criminal hands.<br />
&nbsp;<br />
The risk from spear-phishing (highly targeted phishing) is hugely increased as a result of this data breach, and people should be more vigilant than usual when receiving emails from affected institutions that may request personal information.<br />
&nbsp;<br />
It is important to remember though, that phishing is not the only criminal activity facilitated by this breach. This gold mine of information makes credible malicious mails much simpler to design. An email may appear to come from an organisation or shop of which you are known to be a customer. It will be designed solely to get you to click on a link. In the complex world of online crime you are often only one click away from compromise and infection, without any user interaction beyond that first click. If a criminal can own your PC, they don&#8217;t have to ask you for your personal details; they can simply take them, and much else besides.<br />
&nbsp;<br />
So, for those affected by this breach, (note to self):</p>
<ul>
<li> Pay careful attention to emails you receive in the coming months, perhaps years.</li>
<li> Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don&#8217;t follow links in mails).</li>
<li> Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with &#8220;<strong><em>https://</em></strong>&#8221;. If it&#8217;s not encrypted they don&#8217;t deserve your data.</li>
<li> Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with, reconsider your decision to sign up.</li>
<li> To better insure yourself against this kind of eventuality in future, consider using unique addresses for each service; I wrote an article on how to easily achieve this <a href="http://www.zdnet.co.uk/news/security-management/2011/04/02/hacked-off-protect-your-email-from-a-breach-40092330/">here</a>.</li>
</ul>
<p>&nbsp;<br />
And for all of the companies out there that process, store or transmit personal data belonging to other people&#8230; <strong>ENCRYPT IT</strong>, no excuses, no get-out clause. This is only the beginning and you owe your customers a duty of care.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/data-mining-for-bad-guys/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Criminals living the Lush life.</title>
		<link>http://countermeasures.trendmicro.eu/criminals-living-the-lush-life/</link>
		<comments>http://countermeasures.trendmicro.eu/criminals-living-the-lush-life/#comments</comments>
		<pubDate>Fri, 21 Jan 2011 13:26:30 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2574</guid>
		<description><![CDATA[The web site of the cosmetics company Lush has been compromised and a number of credit card details stolen over a period of almost 4 months, including the busy Christmas shopping season; some of them have already been used to make fraudulent purchases. Customers on the Lush Facebook page are far from happy. &#160; The [...] ]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2578" class="wp-caption alignleft" style="width: 235px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/01/soap.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/01/soap-225x300.jpg" alt="" title="soap" width="225" height="300" class="size-medium wp-image-2578" /></a><p class="wp-caption-text">used under creative commons from rieh's Flickr</p></div><br />
The <a title="Lush" href="http://www.lush.co.uk/" target="_blank">web site of the cosmetics company Lush</a> has been compromised and a number of credit card details stolen over a period of almost 4 months, including the busy Christmas shopping season; some of them have already been used to make fraudulent purchases. Customers on the <a title="Lush Limited" href="http://www.facebook.com/#!/lush.co.uk">Lush Facebook page</a> are far from happy.<br />
&nbsp;<br />
The consequences of the hack were so grave, and the effect on the trust that Lush were able to place in their online store was so serious, that the entire Lush website has currently been taken offline and replaced with a single page offering limited details of the attack.<br />
&nbsp;<br />
A statement on the website says:<br />
&nbsp;</p>
<blockquote><p>&#8220;<em><strong>Our website has been the victim of hackers. 24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry &#8211; so have decided to completely retire this version of our website. For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.</strong></em>&#8221;</p></blockquote>
<p>&nbsp;<br />
I was initially alerted to the attack by one of my own friends, whose card, along with her husband&#8217;s, has subsequently been used to make fraudulent purchases totalling almost &#163;6000 from well-known online retailers.<br />
&nbsp;<br />
The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality.<br />
&nbsp;<br />
For the most part shopping online is as safe as shopping in store, but when a compromise occurs at an online merchant its consequences are often far greater, affecting many more people than in-store card cloning, due to the centralised nature of online stores. If you feel you may have been affected, contact your bank immediately.<br />
&nbsp;<br />
Consumers should be demanding more services such as <a href="http://www.cardratings.com/feb01new.html">one-time credit card numbers </a>from their financial institutions to afford them more protection when shopping online. One-time credit card numbers were introduced back in 2000 by AmEx but have not been as widely adopted by consumers as I would have expected. Talk to your bank, find out what security they offer for online shopping.<br />
&nbsp;<br />
Lush haven&#8217;t gone public over exactly how the information was accessed, but it&#8217;s never a bad idea to restate a few best practices for securing web applications:<br />
&nbsp;</p>
<ul>
<li>Keep them patched.</li>
<li>NEVER store sensitive data in clear text (in fact this is a PCI requirement).</li>
<li>Have them vulnerability-scanned regularly, from the inside as well as the outside.</li>
<li>Use strong authentication (two-factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Cookies can lead to session hijacking.</li>
<li>Bounds checking and validation of input data help to avoid buffer overflows and SQL injection-type attacks.</li>
<li>Provide access to information on a Need to Know basis and always provide it with Least Privilege.</li>
<li>Don&#8217;t provide detailed error information to browsers; you don&#8217;t expect your customers to debug your application, so don&#8217;t give up that error message.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/criminals-living-the-lush-life/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Finding the G-Cloud.</title>
		<link>http://countermeasures.trendmicro.eu/finding-the-g-cloud/</link>
		<comments>http://countermeasures.trendmicro.eu/finding-the-g-cloud/#comments</comments>
		<pubDate>Wed, 19 Jan 2011 13:22:16 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Updates & Patches]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2554</guid>
		<description><![CDATA[A report released this month by the European Network and Information Security Agency (ENISA) has investigated the utility and applicability of cloud services for governments across Europe. &#160; The report, entitled &#8220;Security and Resilience in Governmental Clouds&#8221; aims to provide a decision making model that can be used by governments and other public bodies, to [...] ]]></description>
			<content:encoded><![CDATA[<p><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/01/11351361_790442dbc6_m.jpg" style="float:left;"><img  title="Clouds" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/01/11351361_790442dbc6_m.jpg" alt="" width="240" height="180" style="padding-right:10px; padding-bottom:10px; vertical-align:top;" /></a></p>
<p>A report released this month by the <a title="ENISA" href="http://www.enisa.europa.eu/" target="_blank">European Network and Information Security Agency</a> (ENISA) has investigated the utility and applicability of cloud services for governments across Europe.</p>
<p>  &nbsp;</p>
<p>The report, entitled &#8220;<a title="Security and Resilience in Governmental Clouds" href="http://www.enisa.europa.eu/act/rm/emerging-and-future-risk/deliverables/security-and-resilience-in-governmental-clouds/" target="_blank">Security and Resilience in Governmental Clouds</a>&#8221; aims to provide a decision making model that can be used by governments and other public bodies, to assess the information security challenges posed by cloud computing and to guide them in the definition of their requirements when planning such a migration.<br />
  &nbsp;<br />
  All in all it is a thorough piece of work and should absolutely be recommended reading for anyone, private enterprises included, considering the commercial benefits of cloud.<br />
  &nbsp;<br />
  One conclusion of the report, though, did seem at best premature, if not a little under-researched. The report recommends:</p>
<p>&nbsp;</p>
<blockquote><p>&#8220;its [public cloud] adoption should be limited to non-sensitive or non critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy.&#8221;</p></blockquote>
<p>&nbsp;<br />
On the face of it this is sensible advice, but unfortunately the report does not go on to address the strategies and technologies that exist to mitigate these risks, making public cloud a viable and secure platform for enterprises and public bodies alike.<br />
&nbsp;<br />
Some of the risks identified in the report are: improper access to confidential data (either at the service provider or by intrusion), service provider lock-in due to proprietary technologies, lack of audit and monitoring capabilities, concerns over application and OS patching strategies and access to encryption keys, among others. Unfortunately the recommendations, while sound, do not offer any concrete detail on architectural strategies that overcome these issues, even though this is already a technical possibility, at least in the Infrastructure as a Service model.<br />
&nbsp;<br />
The multi-tenanted nature of public cloud means that organisations need to be able to reduce their effective perimeter to the edge of their virtual machine, effectively segmenting their systems away from other customers. The service provider&#8217;s network should be treated as public. In the IaaS environment the customer retains ownership of and responsibility for the patch levels of their virtual machines; host-level firewalling and vulnerability shielding offer the opportunity to neutralise the threat of exploitation of a vulnerability, even in the absence of a patch. Log and file integrity monitoring offer a means of audit and control and, in the IaaS environment, are simple to implement at host level.<br />
&nbsp;<br />
The challenge of data security in public clouds has typically been more complex to answer, as encryption services are usually managed by the cloud provider. Organisations need the ability to segment their data away from other customers, but also away from the service provider. Service providers need that too; otherwise they risk inheriting some serious liability. Data should be provisioned to the cloud in an encrypted format, the data owner should retain ownership and control of the keys, and only the customer&#8217;s own machines should be able to get access to those keys, ensuring that the data is only ever in-the-clear inside the secure perimeter of their own virtual machines.<br />
&nbsp;<br />
Properly architected data encryption that operates transparently, is engineered for the cloud, and is managed by the customer rather than the service provider is a business enabler. It accelerates adoption of cloud services, drives down costs, and allows regulatory and legislative compliance. It means you no longer have to worry about how you&#8217;re going to delete the cloud when you decide to change service provider.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/finding-the-g-cloud/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Data Breach Laws, Encryption and Having a Plan &#8216;B&#8217;</title>
		<link>http://countermeasures.trendmicro.eu/data-breach-laws-encryption-and-having-a-plan-%e2%80%98b%e2%80%99/</link>
		<comments>http://countermeasures.trendmicro.eu/data-breach-laws-encryption-and-having-a-plan-%e2%80%98b%e2%80%99/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 11:43:31 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Opinion]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2199</guid>
		<description><![CDATA[&#160; Data breach laws are starting to become a serious concern for businesses of all shapes and sizes. It&#8217;s already five years since California passed data breach disclosure laws, requiring companies to notify customers of security lapses. Since then almost all other US states have joined it, many opting for penalties that could potentially land [...] ]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2202" class="wp-caption alignleft" style="width: 510px"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/puzzle.jpg" alt="" title="puzzle" width="500" height="331" class="size-full wp-image-2202" /><p class="wp-caption-text">from zappowbang's photostream under creative commons</p></div><br />
&nbsp;</p>
<p>Data breach laws are starting to become a serious concern for businesses of all shapes and sizes. It’s already <a href="http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state">five years</a> since California passed data breach disclosure laws, requiring companies to notify customers of security lapses. Since then almost all other US states have joined it, many opting for penalties that could land a company that loses customer data, or has it stolen, with a likely loss of reputation and crippling fines.</p>
<p>Ireland published proposed measures on the subject <a href="http://www.theregister.co.uk/2010/06/10/ireland_data_rules/">two weeks ago</a>. Frankly, it’s only a matter of time before the UK follows suit, either through its own legislation or that of the EU.<br />
&nbsp;<br />
Over on the <a href="http://www.theregister.co.uk/">Register</a>, we’ve been running a <a href="http://www.theregister.co.uk/security/security_that_fits/">series</a> of articles about what constitutes an appropriate level of security, with the impending arrival of data breach laws adding some urgency to the discussion.<br />
&nbsp;<br />
A common reaction is to demand the <a href="http://www.theregister.co.uk/2010/06/01/encrypting_backups/">encryption</a> of backup files. This appeals to companies partly because it makes it a lot less likely that any lost information can be used – you could even argue that encrypted data doesn’t count as ‘information’ at all, following the line that information is data you can act upon. Its particular attraction, however, is that encrypted data is exempt from the disclosure requirements in many forms of this legislation, so the potential loss of reputation and customer trust is hopefully avoided.<br />
&nbsp;<br />
Encryption is trickier than it looks, though. First of all, what kind of encryption are you going to use? Software encryption takes time – and for larger organisations, it’s possible that the rate of data production – the proliferation of stuff you’re supposed to be backing up – could quickly exceed the rate at which data can be encrypted. Hardware encryption of backups often looks more attractive as a result, but being tied to a particular vendor with no rescue plan for when they go under is a recipe for spectacular disaster. There’s some interesting advice on this topic in <a href="http://securosis.com/blog/comments/database-security-fundamentals-encryption/">this post</a> from Securosis.<br />
&nbsp;<br />
Backup hardware on its own is already proving hard to manage when it comes to finding data from more than a couple of years ago. Have you still got a tape streamer that will fit the open-reel tapes and cartridges from the early noughties? Still got a computer with a SCSI card to fit the streamer onto? Still got the cable to put the two together? I’m sure sysadmins will be delighted when they’re told to add encryption to the mix.<br />
&nbsp;<br />
Now let’s throw in key management. Exactly how secure does your encryption need to be? And how secure will today’s tapes need to be in five years, a not uncommon legal retention requirement? Who will have access to encryption keys and how will they, in turn, be secured? Once again, this needs a systematic approach. There needs to be a plan and a backup plan for when it all goes wrong. Needless to say, there are products that can help with this – but as always, they can only do so much if the strategy for their implementation and management is weak.<br />
&nbsp;<br />
Anyway, El Reg is conducting a <a href="http://www.theregister.co.uk/2010/06/04/encryption_poll/">poll</a> to detect current attitudes towards encrypting data. We’ll be really interested to see the results, so make sure you add your own voice over there – and let me know what you think here in the comments box, too.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/data-breach-laws-encryption-and-having-a-plan-%e2%80%98b%e2%80%99/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iProtect, iEncrypt&#8230; iLeak</title>
		<link>http://countermeasures.trendmicro.eu/iprotect-iencrypt-ileak/</link>
		<comments>http://countermeasures.trendmicro.eu/iprotect-iencrypt-ileak/#comments</comments>
		<pubDate>Wed, 02 Jun 2010 16:03:18 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[telephone]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2028</guid>
		<description><![CDATA[or, Careful With Those Naked Snaps! &#160; I was very interested by a blog post by Bernd Marienfeldt that I read today, which appears to illustrate a serious security weakness in Apple&#8217;s iPhone data encryption implementation. &#160; &#160; The iPhone 3GS offers Full Disk Encryption using 256 bit AES encoding which should (theoretically) keep your [...]]]></description>
			<content:encoded><![CDATA[<p><strong>or, Careful With Those Naked Snaps!</strong><br />
&nbsp;<br />
I was very interested by a <a title="iPhone business security framework" href="http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/" target="_blank">blog post </a>by Bernd Marienfeldt that I read today, which appears to illustrate a serious security weakness in Apple&#8217;s iPhone data encryption implementation.<br />
&nbsp;<br />
<div id="attachment_2031" class="wp-caption alignleft" style="width: 513px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-03.png"><img class="size-full wp-image-2031" title="Backup" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-03.png" alt="" width="503" height="202" /></a><p class="wp-caption-text">A flaw that allows an unauthorised backup to be made? Shurely shome mishtake...</p></div><br />
&nbsp;<br />
The iPhone 3GS offers Full Disk Encryption using 256 bit AES encoding which should (theoretically) keep your sensitive data safe from prying eyes. It has been public for almost a year that this encryption <a title="Hacker Says iPhone 3GS Encryption Is “Useless” for Businesses" href="http://www.wired.com/gadgetlab/2009/07/iphone-encryption/" target="_blank">does not stand up to </a>even the most basic hacking or forensics tools. This latest flaw, however, will seemingly expose your data to anyone capable of simply booting the device; <strong>even if you have set a security PIN.</strong><br />
&nbsp;<br />
</p>
<p>Bernd Marienfeldt has discovered that by booting a PIN-protected iPhone, while it is connected to the USB port of an Ubuntu system, he could access</p>
<blockquote><p>&#8220;music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker.&#8221;</p></blockquote>
<p>&nbsp;<br />
This access was through the Ubuntu interface and did not require any PIN at all; furthermore, the access was not simply read-only but read/write.<br />
&nbsp;<br />
<div id="attachment_2032" class="wp-caption alignleft" style="width: 392px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-31.png"><img class="size-full wp-image-2032" title="access" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-31.png" alt="" width="382" height="286" /></a><p class="wp-caption-text">Even on a standard Windows Vista system, no PIN required</p></div><br />
&nbsp;<br />
Further <a title="iPhone-Leck weitet sich aus" href="http://www.heise.de/security/meldung/iPhone-Leck-weitet-sich-aus-Update-1012473.html" target="_blank">testing by heise Security</a> has shown that it is also possible to trick an iPhone into pairing with a PC running iTunes in the same way. This is a phenomenon that I have been able to reproduce, again using a PIN protected, hardware encrypted iPhone.<br />
&nbsp;<br />
This related vulnerability is even more worrying than the first. If an attacker manages to pair an iPhone with an unauthorised PC they can make a full backup of the phone, which would include notes, messages and even plain text passwords.<br />
&nbsp;<br />
Testing indicates that this unauthorised pairing and folder access only occurs when the phone has been shut down in an unlocked state, which does serve to mitigate the risk somewhat.<br />
&nbsp;<br />
However when a supposed hardware implementation of full disk encryption surrenders any data <strong>*at all*</strong> in the absence of credentials, something, somewhere is very broken.<br />
&nbsp;<br />
Mr. Marienfeldt reports that Apple have acknowledged the flaw but not yet made any indications of a fix schedule.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/iprotect-iencrypt-ileak/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

